Context Navigation

source: java/net/deterlab/abac/GENICredential.java @ 8375d4f

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml

Last change on this file since 8375d4f was 675770e, checked in by Ted Faber <faber@…>, 12 years ago
Allow users to set validity periods.
Property mode set to `100644`
File size: 21.8 KB

Rev	Line
[3797bbe]	1	package net.deterlab.abac;
	2
	3	import java.io.*;
	4	import java.math.*;
	5	import java.text.*;
	6
	7	import java.util.*;
[fd40109]	8
[3797bbe]	9	import java.security.*;
	10	import java.security.cert.*;
	11
	12	import javax.xml.parsers.*;
	13	import javax.xml.transform.*;
	14	import javax.xml.transform.dom.*;
	15	import javax.xml.transform.stream.*;
	16
	17	import javax.xml.crypto.*;
	18	import javax.xml.crypto.dsig.*;
	19	import javax.xml.crypto.dsig.dom.*;
	20	import javax.xml.crypto.dsig.keyinfo.*;
	21	import javax.xml.crypto.dsig.spec.*;
	22
	23	import org.xml.sax.*;
	24	import org.w3c.dom.*;
	25
	26	/**
[a7f73b5]	27	* An ABAC credential formatted as an abac-type GENI credential.
[3797bbe]	28	* @author <a href="http://abac.deterlab.net">ISI ABAC team</a>
[4560b65]	29	* @version 1.4
[3797bbe]	30	*/
	31	public class GENICredential extends Credential implements Comparable {
	32	/** The signed XML representing this credential */
	33	protected Document doc;
[797bebe]	34
	35	/**
[61f21c5]	36	* X509KeySelector implementation from
	37	* http://www.outsourcingi.com/art-271-Programming-With-the-Java-XML-Digital-Signature-API.html
	38	* .
	39	*
	40	* Straight ahead extraction of a key from an X509 cert, but it is their
	41	* code and hard to improve on.
[797bebe]	42	*/
[e5ac25b]	43	static protected class X509KeySelector extends KeySelector {
[797bebe]	44	public KeySelectorResult select(KeyInfo keyInfo,
	45	KeySelector.Purpose purpose,
	46	AlgorithmMethod method,
	47	XMLCryptoContext context)
	48	throws KeySelectorException {
	49	Iterator ki = keyInfo.getContent().iterator();
	50	while (ki.hasNext()) {
	51	XMLStructure info = (XMLStructure) ki.next();
	52	if (!(info instanceof X509Data))
	53	continue;
	54	X509Data x509Data = (X509Data) info;
	55	Iterator xi = x509Data.getContent().iterator();
	56	while (xi.hasNext()) {
	57	Object o = xi.next();
	58	if (!(o instanceof X509Certificate))
	59	continue;
	60	final PublicKey key = ((X509Certificate)o).getPublicKey();
	61	// Make sure the algorithm is compatible
	62	// with the method.
	63	if (algEquals(method.getAlgorithm(), key.getAlgorithm())) {
	64	return new KeySelectorResult() {
	65	public Key getKey() { return key; }
	66	};
	67	}
	68	}
	69	}
	70	throw new KeySelectorException("No key found!");
	71	}
	72
	73	boolean algEquals(String algURI, String algName) {
	74	if ((algName.equalsIgnoreCase("DSA") &&
	75	algURI.equalsIgnoreCase(SignatureMethod.DSA_SHA1)) \|\|
	76	(algName.equalsIgnoreCase("RSA") &&
	77
	78	algURI.equalsIgnoreCase(SignatureMethod.RSA_SHA1))) {
	79	return true;
	80	} else {
	81	return false;
	82	}
	83	}
	84	}
	85
[3797bbe]	86	/**
	87	* Create an empty Credential.
	88	*/
	89	public GENICredential() {
[7f614c1]	90	super();
[3797bbe]	91	doc = null;
	92	}
	93	/**
	94	* Create a credential from a head and tail role. This credential has no
	95	* underlying certificate, and cannot be exported or used in real proofs.
	96	* make_cert can create a certificate for a credential initialized this
	97	* way.
	98	* @param head the Role at the head of the credential
	99	* @param tail the Role at the tail of the credential
	100	*/
	101	public GENICredential(Role head, Role tail) {
[7f614c1]	102	super(head, tail);
[3797bbe]	103	doc = null;
	104	}
	105
	106	/**
	107	* Do the credential extraction from an input stream. This parses the
	108	* certificate from the input stream and saves it. The contents must be
	109	* validated and parsed later.
	110	* @param stream the InputStream to read the certificate from.
[e5ac25b]	111	* @return the parsed XML document
[3797bbe]	112	* @throws IOException if the stream is unparsable
	113	*/
[e5ac25b]	114	static protected Document read_certificate(InputStream stream)
[3797bbe]	115	throws IOException {
	116	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
	117	DocumentBuilder db = null;
[e5ac25b]	118	Document ldoc = null;
[3797bbe]	119
	120	if ( dbf == null )
	121	throw new IOException("Cannot get DocumentBuilderFactory!?");
	122	try {
[61f21c5]	123	/* Note this setting is required to find the properly
	124	* namespace-scoped signature block in the credential.
	125	*/
[797bebe]	126	dbf.setNamespaceAware(true);
[3797bbe]	127	if ( (db = dbf.newDocumentBuilder()) == null )
	128	throw new IOException("Cannot get DocumentBuilder!?");
[e5ac25b]	129	ldoc = db.parse(stream);
	130	ldoc.normalizeDocument();
	131	return ldoc;
[3797bbe]	132	}
	133	catch (IllegalArgumentException ie) {
[44896b5]	134	throw new IOException("null stream", ie);
[3797bbe]	135	}
	136	catch (SAXException se) {
[44896b5]	137	throw new IOException(se.getMessage(), se);
[3797bbe]	138	}
	139	catch (Exception e) {
[44896b5]	140	throw new IOException(e.getMessage(), e);
[3797bbe]	141	}
	142
	143	}
	144
[797bebe]	145	/**
	146	* Walk the document and set all instances of an xml:id attribute to be ID
	147	* attributes in terms of the java libraries. This is needed for the
	148	* signature code to find signed subsections. The "xml:id" is treated as
	149	* both a namespace free ID with a colon and as an "id" identifier in the
	150	* "xml" namespace so we don't miss it.
	151	* @param n the root of the document to mark
	152	*/
	153	static protected void setIDAttrs(Node n) {
	154	if ( n.getNodeType() == Node.ELEMENT_NODE) {
	155	Element e = (Element) n;
	156	String id = e.getAttribute("xml:id");
	157
	158	if ( id != null && id.length() > 0 )
	159	e.setIdAttribute("xml:id", true);
	160
	161	id = e.getAttributeNS("xml", "id");
	162	if ( id != null && id.length() > 0 )
	163	e.setIdAttributeNS("xml", "id", true);
	164	}
	165
	166	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	167	setIDAttrs(nn);
	168	}
	169
	170	/**
	171	* Return the child of Node n that has the given name, if there is one.
	172	* @param n a Node to search
	173	* @param name the name to search for
	174	* @return a Node with the name, may be null
	175	*/
	176	static protected Node getChildByName(Node n, String name) {
	177	if (name == null ) return null;
	178
	179	for (Node nn = n.getFirstChild(); nn != null; nn = nn.getNextSibling())
	180	if ( nn.getNodeType() == Node.ELEMENT_NODE &&
	181	name.equals(nn.getNodeName())) return nn;
	182	return null;
	183	}
	184
	185	/**
	186	* Find the X509Certificate in the Signature element and convert it to an
	187	* ABAC identity. This assumes a KeyInfo in that section holding an
	188	* X509Data section containing the certificate in an X509Certificate
	189	* section. Any of that not being found will cause a failure. If the
	190	* Identity cannot be created a Gignature exception is thrown.
	191	* @param n a Node pointing to a Signature section
	192	* @return an Identity constructed frm the X509 Certificate
[44896b5]	193	* @throws MissingIssuerException if the Identity cannot be created from the
[797bebe]	194	* certificate.
	195	*/
[44896b5]	196	static protected Identity getIdentity(Node n)
	197	throws MissingIssuerException {
[797bebe]	198	Identity rv = null;
	199	Node nn = getChildByName(n, "KeyInfo");
	200	String certStr = null;
	201
	202	if ( nn == null ) return null;
	203	if ( ( nn = getChildByName(nn, "X509Data")) == null ) return null;
	204	if ( ( nn = getChildByName(nn, "X509Certificate")) == null ) return null;
	205	if ( ( certStr = nn.getTextContent()) == null ) return null;
	206	try {
	207	certStr = "-----BEGIN CERTIFICATE-----\n" +
	208	certStr +
	209	"\n-----END CERTIFICATE-----";
	210	return new Identity(new StringReader(certStr));
	211	}
	212	catch (Exception e) {
[44896b5]	213	throw new MissingIssuerException(e.getMessage(), e);
[797bebe]	214	}
	215	}
	216
[2405adf]	217	static protected Date getTime(Document d, String field)
[fd40109]	218	throws ABACException {
	219	Node root = null;
	220	Node n = null;
	221	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssz");
	222	Date date = null;
	223	String dstr = null;
	224
	225	if ( (root = getChildByName(d, "signed-credential")) == null)
	226	throw new CertInvalidException("No signed-credential element");
	227	if ( (n = getChildByName(root, "credential")) == null )
	228	throw new CertInvalidException("No credential element");
	229	if ( (n = getChildByName(n, field)) == null )
	230	throw new CertInvalidException("No " + field + " element");
	231
	232	if ( ( dstr = n.getTextContent()) == null )
	233	throw new CertInvalidException("No expires content");
	234
	235	dstr = dstr.replace("Z", "GMT");
	236	if ((date = df.parse(dstr, new ParsePosition(0))) == null)
	237	throw new CertInvalidException("Cannot parse date: "+
	238	n.getTextContent());
	239
[2405adf]	240	return date;
[fd40109]	241	}
	242
[3797bbe]	243	/**
	244	* Initialize a credential from parsed certificate. Validiate it against
	245	* the given identities and parse out the roles. Note that catching
	246	* java.security.GeneralSecurityException catches most of the exceptions
	247	* this throws.
	248	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	249	* @throws CertInvalidException if the stream is unparsable
	250	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	251	* certificate
[44896b5]	252	* @throws BadSignatureException if the signature check fails
[3797bbe]	253	*/
	254	protected void init(Collection<Identity> ids)
[44896b5]	255	throws ABACException {
[3797bbe]	256
	257	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	258	NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS,
[797bebe]	259	"Signature");
[3797bbe]	260	DOMValidateContext valContext = null;
	261	XMLSignature signature = null;
	262
	263	try {
	264
	265	if (nl.getLength() == 0)
[44896b5]	266	throw new CertInvalidException("Cannot find Signature element");
[3797bbe]	267
[797bebe]	268	setIDAttrs(doc);
	269	valContext = new DOMValidateContext(new X509KeySelector(),
	270	nl.item(0));
[3797bbe]	271	if ( valContext == null )
[44896b5]	272	throw new ABACException("No validation context!?");
[3797bbe]	273
	274	signature = fac.unmarshalXMLSignature(valContext);
	275	if (signature == null)
[44896b5]	276	throw new BadSignatureException("Cannot unmarshal signature");
[3797bbe]	277
	278	if (!signature.validate(valContext))
[44896b5]	279	throw new BadSignatureException("bad signature");
[3797bbe]	280
[7f614c1]	281	m_expiration = getTime(doc, "expires");
[2405adf]	282
[7f614c1]	283	if ( m_expiration.before(new Date()))
	284	throw new CertInvalidException("Certificate Expired " +
	285	m_expiration);
[fd40109]	286
[3797bbe]	287	load_roles();
	288
[797bebe]	289	id = getIdentity(nl.item(0));
	290
	291	if ( !ids.contains(id) ) ids.add(id);
	292
[3797bbe]	293	if (!id.getKeyID().equals(m_head.principal()))
[44896b5]	294	throw new MissingIssuerException("Issuer ID and left hand " +
	295	"side principal disagree");
	296	}
	297	catch (ABACException ae) {
	298	throw ae;
[3797bbe]	299	}
	300	catch (Exception e) {
[44896b5]	301	throw new BadSignatureException(e.getMessage(), e);
[3797bbe]	302	}
	303	}
	304
	305	/**
	306	* Parse a credential from an InputStream and initialize the role from it.
	307	* Combine read_credential(stream) and init(ids). Note that catching
	308	* java.security.GeneralSecurityException catches most of the exceptions
	309	* this throws.
	310	* @param stream the InputStream to read the certificate from.
	311	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	312	* @throws CertInvalidException if the stream is unparsable
	313	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	314	* certificate
[44896b5]	315	* @throws BadSignatureException if the signature check fails
[3797bbe]	316	*/
	317	protected void init(InputStream stream, Collection<Identity> ids)
[44896b5]	318	throws ABACException {
	319	try {
[e5ac25b]	320	doc = read_certificate(stream);
[44896b5]	321	}
	322	catch (IOException e) {
	323	throw new CertInvalidException("Cannot parse cert", e);
	324	}
	325	if (doc == null) throw new CertInvalidException("Unknown Format");
[3797bbe]	326	init(ids);
	327	}
	328
	329	/**
	330	* Create a credential from an attribute cert in a file. Throws an
	331	* exception if the cert file can't be opened or if there's a format
	332	* problem with the cert. Note that catching
	333	* java.security.GeneralSecurityException catches most of the exceptions
	334	* this throws.
	335	* @param filename a String containing the filename to read
	336	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	337	* @throws CertInvalidException if the stream is unparsable
	338	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	339	* certificate
[44896b5]	340	* @throws BadSignatureException if the signature check fails
[3797bbe]	341	*/
[4d5f56d]	342	GENICredential(String filename, Collection<Identity> ids)
[44896b5]	343	throws ABACException {
	344	try {
	345	init(new FileInputStream(filename), ids);
	346	}
	347	catch (FileNotFoundException e) {
	348	throw new CertInvalidException("Bad filename", e);
	349	}
	350	}
[3797bbe]	351
	352	/**
	353	* Create a credential from an attribute cert in a file. Throws an
	354	* exception if the cert file can't be opened or if there's a format
	355	* problem with the cert. Note that catching
	356	* java.security.GeneralSecurityException catches most of the exceptions
	357	* this throws.
	358	* @param file the File to read
	359	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	360	* @throws CertInvalidException if the stream is unparsable
	361	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	362	* certificate
[44896b5]	363	* @throws BadSignatureException if the signature check fails
[3797bbe]	364	*/
[4d5f56d]	365	GENICredential(File file, Collection<Identity> ids)
[44896b5]	366	throws ABACException {
	367	try {
	368	init(new FileInputStream(file), ids);
	369	}
	370	catch (FileNotFoundException e) {
	371	throw new CertInvalidException("Bad filename", e);
	372	}
[3797bbe]	373	}
	374
	375	/**
	376	* Create a credential from an InputStream. Throws an exception if the
	377	* stream can't be parsed or if there's a format problem with the cert.
	378	* Note that catching java.security.GeneralSecurityException catches most
	379	* of the exceptions this throws.
	380	* @param s the InputStream to read
	381	* @param ids a Collection of Identities to use in validating the cert
[44896b5]	382	* @throws CertInvalidException if the stream is unparsable
	383	* @throws MissingIssuerException if none of the Identities can validate the
[3797bbe]	384	* certificate
[44896b5]	385	* @throws BadSignatureException if the signature check fails
[3797bbe]	386	*/
[4d5f56d]	387	GENICredential(InputStream s, Collection<Identity> ids)
[44896b5]	388	throws ABACException { init(s, ids); }
[3797bbe]	389
[61f21c5]	390	/**
[675770e]	391	* Encode the abac credential's XML and set the validity. This is straight
	392	* line code that directly builds the credential.
	393	* @param validity a long holding the number of seconds that the credential
	394	* is valid for.
[61f21c5]	395	* @return a Node, the place to attach signatures
[44896b5]	396	* @throws ABACException if any of the XML construction fails
[61f21c5]	397	*/
[675770e]	398	protected Node make_rt0_content(long validity) throws ABACException {
[61f21c5]	399	DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
	400	DocumentBuilder db = null;
[2405adf]	401	SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
[61f21c5]	402	StringBuffer expBuf = new StringBuffer();
	403
	404	/* This is a weirdness to cope with the GENI format. They have a naked
	405	* xml:id specifier without any namespace declarations in the
	406	* credential. Notice that this is the opposite of the setting used in
	407	* init to read a credential. */
	408	dbf.setNamespaceAware(false);
	409
	410	if ( dbf == null )
[44896b5]	411	throw new ABACException("Cannot get DocumentBuilderFactory!?");
[61f21c5]	412
	413	try {
	414	db = dbf.newDocumentBuilder();
	415	}
	416	catch (ParserConfigurationException pe) {
[44896b5]	417	throw new ABACException("Cannot get DocumentBuilder!?" +
	418	pe.getMessage(), pe);
[61f21c5]	419	}
	420
	421	doc = db.newDocument();
	422	if ( doc == null )
[44896b5]	423	throw new ABACException("No Document");
[61f21c5]	424
	425	Element root = doc.createElement("signed-credential");
	426	Element cred = doc.createElement("credential");
	427	Element sig = doc.createElement("signatures");
	428	Element e = doc.createElement("type");
	429	Node text = doc.createTextNode("abac");
	430
	431	doc.appendChild(root);
	432
	433	cred.setAttribute("xml:id", "ref0");
	434	/* So that the signing code can find the section to sign */
	435	cred.setIdAttribute("xml:id", true);
	436
	437	root.appendChild(cred);
	438	e.appendChild(text);
	439	cred.appendChild(e);
	440
[675770e]	441	m_expiration = new Date(System.currentTimeMillis() +
	442	(1000L * validity ));
[2405adf]	443	df.setTimeZone(new SimpleTimeZone(0, "Z"));
[675770e]	444	df.format(m_expiration, expBuf, new FieldPosition(0));
[61f21c5]	445	e = doc.createElement("expires");
	446	text = doc.createTextNode(expBuf.toString());
	447	e.appendChild(text);
	448	cred.appendChild(e);
	449
	450	e = doc.createElement("version");
	451	text = doc.createTextNode("1.0");
	452	e.appendChild(text);
	453	cred.appendChild(e);
	454
	455	e = doc.createElement("rt0");
	456	text = doc.createTextNode(m_head + "<-" + m_tail);
	457	e.appendChild(text);
	458	cred.appendChild(e);
	459
	460	root.appendChild(sig);
	461	return sig;
	462	}
	463
[3797bbe]	464	/**
[675770e]	465	* Create a certificate from this credential issued by the given identity
	466	* valid for the given time (in seconds). This is the signed XML ABAC
	467	* credential.
[3797bbe]	468	* @param i the Identity that will issue the certificate
[675770e]	469	* @param validity a long holding the number of seconds that the credential
	470	* is valid for.
[44896b5]	471	* @throws ABACException if xml creation fails
	472	* @throws MissingIssuerException if the issuer is bad
	473	* @throws BadSignatureException if the signature creation fails
[3797bbe]	474	*/
[675770e]	475	public void make_cert(Identity i, long validity)
[44896b5]	476	throws ABACException {
[61f21c5]	477	X509Certificate cert = i.getCertificate();
	478	KeyPair kp = i.getKeyPair();
	479	PublicKey pubKey = null;
	480	PrivateKey privKey = null;
	481	if ( cert == null )
[44896b5]	482	throw new MissingIssuerException("No credential in identity?");
[61f21c5]	483	if ( kp == null )
[44896b5]	484	throw new MissingIssuerException("No keypair in identity?");
[61f21c5]	485
	486	pubKey = kp.getPublic();
	487	if ((privKey = kp.getPrivate()) == null )
[44896b5]	488	throw new MissingIssuerException("No private ket in identity");
[61f21c5]	489
	490	XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
	491	Reference ref = null;
	492	SignedInfo si = null;
	493	KeyInfoFactory kif = fac.getKeyInfoFactory();
[152673d]	494
	495	/* The <Object> doesn't say much, but shuts the compiler up about
	496	* unchecked references. The lists are polymorphyc and the signature
	497	* libs expect that, so <Object> is the best we can do.
	498	*/
	499	List<Object> x509Content = new ArrayList<Object>();
	500	List<Object> keyInfo = new ArrayList<Object>();
[61f21c5]	501	x509Content.add(cert.getSubjectX500Principal().getName());
	502	x509Content.add(cert);
	503	X509Data xd = kif.newX509Data(x509Content);
	504	KeyValue kv = null;
	505
[3797bbe]	506	try {
[61f21c5]	507	kv = kif.newKeyValue(pubKey);
	508	}
	509	catch (KeyException ke) {
[44896b5]	510	throw new ABACException("Unsupported key format " +
	511	ke.getMessage(), ke);
[61f21c5]	512	}
	513
	514	Collections.addAll(keyInfo, kv, xd);
	515
	516	KeyInfo ki = kif.newKeyInfo(keyInfo);
[675770e]	517	Node sig = make_rt0_content(validity);
[61f21c5]	518
	519	try {
	520	ref = fac.newReference("#ref0",
[3797bbe]	521	fac.newDigestMethod(DigestMethod.SHA1, null),
	522	Collections.singletonList(
	523	fac.newTransform(Transform.ENVELOPED,
	524	(TransformParameterSpec) null)),
	525	null, null);
	526
[61f21c5]	527	si = fac.newSignedInfo(
[797bebe]	528	fac.newCanonicalizationMethod(
	529	CanonicalizationMethod.INCLUSIVE,
[3797bbe]	530	(C14NMethodParameterSpec) null),
	531	fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
	532	Collections.singletonList(ref));
	533
[61f21c5]	534	DOMSignContext dsc = new DOMSignContext(privKey, sig);
[3797bbe]	535	XMLSignature signature = fac.newXMLSignature(si, ki);
	536	signature.sign(dsc);
	537	}
[61f21c5]	538	catch (Exception me) {
[44896b5]	539	throw new BadSignatureException(me.getMessage(), me);
[3797bbe]	540	}
	541
	542	}
	543
[675770e]	544	/**
	545	* Create a certificate from this credential issued by the given identity
	546	* valid for the default validity period. This is the signed XML ABAC
	547	* credential.
	548	* @param i the Identity that will issue the certificate
	549	* @throws ABACException if xml creation fails
	550	* @throws MissingIssuerException if the issuer is bad
	551	* @throws BadSignatureException if the signature creation fails
	552	*/
	553	public void make_cert(Identity i)
	554	throws ABACException {
	555	make_cert(i, defaultValidity);
	556	}
	557
[3797bbe]	558	/**
[44896b5]	559	* Load the roles off the attribute cert.
	560	* @throws CertInvalidException if the certificate is badly formatted
[3797bbe]	561	*/
[44896b5]	562	private void load_roles() throws CertInvalidException {
[3797bbe]	563	if ( doc == null )
[44896b5]	564	throw new CertInvalidException("No credential");
[3797bbe]	565
[3d667be]	566	NodeList nodes = doc.getElementsByTagName("type");
	567	Node node = null;
[3797bbe]	568	String roles = null;
	569
[3d667be]	570	if (nodes == null \|\| nodes.getLength() != 1)
	571	throw new CertInvalidException("More than one type element?");
	572
	573	node = nodes.item(0);
	574	if ( node == null )
	575	throw new CertInvalidException("bad rt0 element?");
	576
	577	if ( !"abac".equals(node.getTextContent()) )
	578	throw new CertInvalidException("Not an abac type credential");
	579
	580	nodes = doc.getElementsByTagName("rt0");
[3797bbe]	581	if (nodes == null \|\| nodes.getLength() != 1)
[44896b5]	582	throw new CertInvalidException("More than one rt0 element?");
[3797bbe]	583
[3d667be]	584	node = nodes.item(0);
[3797bbe]	585
	586	if ( node == null )
[44896b5]	587	throw new CertInvalidException("bad rt0 element?");
[3797bbe]	588
	589	if ( (roles = node.getTextContent()) == null )
[44896b5]	590	throw new CertInvalidException("bad rt0 element (no text)?");
[3797bbe]	591
	592	String[] parts = roles.split("\\s<--?\\s");
	593	if (parts.length != 2)
[44896b5]	594	throw new CertInvalidException("Invalid attribute: " + roles);
[3797bbe]	595
	596	m_head = new Role(parts[0]);
	597	m_tail = new Role(parts[1]);
	598	}
	599
	600	/**
	601	* Output the signed GENI ABAC certificate associated with this
	602	* Credential to the OutputStream.
	603	* @param s the OutputStream on which to write
	604	* @throws IOException if there is an error writing.
	605	*/
	606	public void write(OutputStream s) throws IOException {
	607	if ( doc == null )
	608	return;
	609	try {
	610	TransformerFactory tf = TransformerFactory.newInstance();
	611	Transformer t = tf.newTransformer();
	612	DOMSource source = new DOMSource(doc);
	613	StreamResult result = new StreamResult(s);
	614
	615	t.transform(source, result);
	616	s.flush();
	617	}
	618	catch (Exception e) {
[44896b5]	619	throw new IOException(e.getMessage(), e);
[3797bbe]	620	}
	621	}
	622	/**
	623	* Output the signed GENI ABAC certificate associated with this
[7b33c9b]	624	* Credential to the OutputStream.
	625	* @param fn a String, the file name on which to write
[3797bbe]	626	* @throws IOException if there is an error writing.
[44896b5]	627	* @throws FileNotFoundExeption if the file path is bogus
[3797bbe]	628	*/
	629	public void write(String fn) throws IOException, FileNotFoundException {
	630	write(new FileOutputStream(fn));
	631	}
	632
	633	/**
	634	* Return true if this Credential has a certificate associated. A jabac
	635	* extension.
	636	* @return true if this Credential has a certificate associated.
	637	*/
	638	public boolean hasCertificate() { return doc != null; }
	639
[f84d71e]	640	/**
[aaadefd]	641	* Return a CredentialCredentialFactorySpecialization for GENICredentials.
	642	* Used by the CredentialFactory to parse and generate these kind of
	643	* credentials. It basically wraps constuctor calls.
	644	* @return a CredentialFactorySpecialization for this kind of credential.
[f84d71e]	645	*/
[aaadefd]	646	static public CredentialFactorySpecialization
	647	getCredentialFactorySpecialization() {
	648	return new CredentialFactorySpecialization() {
[f84d71e]	649	public Credential[] parseCredential(InputStream is,
	650	Collection<Identity> ids) throws ABACException {
	651	return new Credential[] { new GENICredential(is, ids) };
	652	}
[aaadefd]	653	public Credential generateCredential(Role head, Role tail) {
	654	return new GENICredential(head, tail);
	655	}
[f84d71e]	656	};
	657	}
[3797bbe]	658	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: